• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-34481 Another Windows Print Spooler Remote Code Execution Vulnerability?
Print Spooler Remote Code Execution Vulnerability | CVE-2021-34481

On July 15, another remote code execution vulnerability (CVE-2021-34481) was added to the list of print spooler vulnerabilities commonly known as PrintNightmare. Microsoft has published a KB article on Aug 10 with standard guidelines to fix the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481). Let’s see How to Fix CVE-2021-34481, another Windows Print Spooler Remote Code Execution Vulnerability.

Introduction To Point And Print:

The term ‘Point and Print’ refers to the capability of allowing a user to create a connection between his Windows client machine and a remote printer without providing any installation media to automatically download ll necessary files and configuration information from the print server to the client. Read more about the Point and Print here.

Summary Of CVE-2021-34481:

According to Microsoft,” This is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The vulnerability tracked under the CVE-2021-34527 ID allows an attacker to connect the print spooler service directly or remotely if he has limited access to the network. The attacker can get access to the operating system through the print spooler service since the Print Spooler has direct access to the kernel of the operating system. By exploiting the PrintNightmare vulnerability, the attackers can run remote code with SYSTEM privileges and ultimately attack the Domain Controller.

How To Fix This Windows Print Spooler Remote Code Execution Vulnerability – CVE-2021-34481?

On Aug 10, Microsoft has completed its analysis and published a security update to address this vulnerability. Microsoft has rolled out a patch for versions of the Windows operating system and asked to install the patch immediately.
Before the updates, the default behavior of Point and Print was set with the least privileges. This lets users install printer drivers without administrator privileges. Microsoft has addressed this issue by changing the default Point and Print driver installation privileges to admin. After applying the patch, users with less privileges are restricted from adding or updating printers. Only administrators can perform the task. Installation of this security update with default settings will address the publicly documented Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481).
This update will not allow non-administrators to do the following:

  1. Install new printers using drivers on a remote computer or server
  2. Update existing printer drivers using drivers from remote computer or server

Note: If you are not using Point and Print, you can probably ignore this security update as this change will not affect you in any way.

There are few options if you want to override the security update changes.

#1. Registry Settings To Disable The Security Update:

Suppose you want to continue with your previous setup where you need to allow users with less privileges to install and update printer drivers. In that case, you can disable the behavior of security updates by creating a registry key. But, bear in mind, this will expose your environment to the publicly known Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481). We recommend using this registry feature while you adjust your environment. Microsoft has confirmed in its KB article KB5005652 that Windows updates will not set or change the registry key. You will have to set the key either before or after installing updates after Aug 10.

Registry locationHKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
DWord nameRestrictDriverInstallationToAdministrators
Value dataDefault behavior: Setting this value to 1 or blank or if the key is not defined or not present will require administrator privilege to install any printer driver when using Point and Print. This registry key will override all Point and Print Restrictions Group Policy settings and ensure that only administrators can install printer drivers using Point and Print from a print server.
Setting the value to 0 allows non-administrators to install signed and unsigned drivers to a print server but not override the Point and Print Group Policy settings. Consequently, the Point and Print Restrictions Group Policy settings can override this registry key setting to prevent non-administrators from installing signed and unsigned print drivers from a print server.
Restart requirementsNo restart is required when creating or modifying this registry value.

You can also automate the registry settings. Follow these steps to automate the the addition of the registry value:

  1. Open the PowerShell or cmd.exe with admin privileges.
  2. Issue this command: reg add “HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint” /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 1 /f

Note: If you have problem in installing the printer driver with administrator privileges too, disable the ‘Package Point and Print’ Group Policy.

#2. Permit Users To Only Connect To Trusted Print Servers:

If your environment demands to disable the security update, the following fix can help secure your environment. However, you can’t completely address the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481).

  1. Open the Group Policy Management Console (GPMC) from Start > Administrative Tools > Group Policy Management..
  2. In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the user accounts you want to disable the security updates.
  3. Right-click the appropriate domain or OU, click Create a GPO in this domain, and Link it here. Enter a name for the new Group Policy Object (GPO), then click OK.
  4. Edit the GPO that you created by right-clicking on it.
  5. In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, click Local Computer Polices, and then click Printers.
  6. Edit the Point and Print Restrictions by right click.
  7. In the Point and Print Restrictions dialog, click Enabled.
  8. Select the Users can only point and print to these servers checkbox.
  9. Enter the fully qualified server names with a semicolon (;).
  10. In the ‘When installing drivers for a new connection’ box, select Show warning and Elevated Prompt.
  11. In the ‘When updating drivers for an existing connection’ box, select Show warning and Elevated Prompt.
  12. Click OK.

#3. Permit Users To Only Connect To Trusted Print Servers With Specific Package Point:

  1. Open the Group Policy Management Console (GPMC) from Start > Run, then type GPMC.MSC and then press Enter.
  2. In the GPMC console tree, navigate to the domain or organizational unit (OU) that stores the user accounts you want to disable the security updates.
  3. Right-click the appropriate domain or OU, click Create a GPO in this domain, and Link it here. Enter a name for the new Group Policy Object (GPO), then click OK.
  4. Edit the GPO that you created by right-clicking on it.
  5. In the Group Policy Management Editor window, click Computer Configuration, click Policies, click Administrative Templates, click Local Computer Polices, and then click Printers.
  6. Enable Package Point and Print – Approved servers and select the Show… button.
  7. Enter the fully qualified server names. Separate each name by using a semicolon (;).

This is how you can fix CVE-2021-34481 the Windows Print Spooler Remote Code Execution Vulnerability. It is always good to install all the security patches. It protects your environment from new emerging security vulnerabilities.

Thanks for reading this post. Please visit our site to read more about technology and cybersecurity topics.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.